Bug ID 751512: CGN Inbound connections should not bypass AFM firewall rules

Last Modified: Apr 01, 2021


Affected Product:
BIG-IP AFM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 15.0.0, 15.0.1

Fixed In:

Opened: Nov 29, 2018
Severity: 3-Major


Symptoms

CGNAT inbound connections to an lsn-pool member IP address that should match an AFM firewall rule do not trigger the rule's policy action.

Impact

Packets on inbound connections always bypass firewall rules, so AFM policy is not enforced on CGNAT inbound traffic.

Conditions

-- AFM provisioned.
-- Inbound connection matches a firewall rule.



Fix Information

AFM firewall policy is now enforced on inbound connections by default. A sys db variable, afm.inbound_conn.enforce_policies, has been added to disable AFM policy enforcement on inbound connections.

Behavior Change

A new sys db variable, afm.inbound_conn.enforce_policies, has been added to control AFM policy enforcement on inbound connections. It can be set to enable or disable; the default is enable. Setting it to disable restores the previous behavior, in which inbound connections bypass AFM firewall rules.
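The following is an added shell example for auditing this setting; it is not code from F5 or from the bug report. It assumes the `tmsh list sys db afm.inbound_conn.enforce_policies` output format shown in its constructed samples (a `value "..."` line inside braces) and that, on versions without the fix, the listing is empty because the variable does not exist. The function and variable names (classify_enforcement, remediation_for, audit_live) are hypothetical.

```shell
#!/bin/sh
# Audit helper for the afm.inbound_conn.enforce_policies sys db variable.
# Added example, not F5 code. It assumes the `tmsh list sys db <name>` output
# format shown in the constructed samples below (a `value "..."` line inside
# braces); adjust the parser if your version prints something different.

DB_VAR="afm.inbound_conn.enforce_policies"

# classify_enforcement LISTING
# Reads the text of `tmsh list sys db $DB_VAR` and prints one word:
#   enforced    - value is "enable": AFM policy applies to inbound connections
#   disabled    - value is "disable": the pre-fix bypass has been re-enabled
#   unavailable - no value line: the variable does not exist, i.e. the unit
#                 runs a version without the fix and inbound connections
#                 bypass AFM regardless of configuration
classify_enforcement() {
    listing=$1
    # Strip quotes, then take the second field of the first "value" line.
    val=$(printf '%s\n' "$listing" | tr -d '"' | awk '$1 == "value" { print $2; exit }')
    case "$val" in
        enable)  printf 'enforced\n' ;;
        disable) printf 'disabled\n' ;;
        *)       printf 'unavailable\n' ;;
    esac
}

# remediation_for STATE
# Prints the tmsh command (or advice) that brings STATE to "enforced".
remediation_for() {
    case "$1" in
        enforced)    printf 'none needed\n' ;;
        disabled)    printf 'tmsh modify sys db %s value enable\n' "$DB_VAR" ;;
        unavailable) printf 'upgrade to a version that includes the fix for Bug ID 751512\n' ;;
        *)           return 1 ;;
    esac
}

# Constructed sample listings (not captured from a device).
SAMPLE_ENFORCED='sys db afm.inbound_conn.enforce_policies {
    value "enable"
}'
SAMPLE_DISABLED='sys db afm.inbound_conn.enforce_policies {
    value "disable"
}'
# Assumption: on a version without the fix, tmsh reports the unknown variable
# on stderr and prints nothing on stdout, so the listing is empty.
SAMPLE_UNAVAILABLE=''

# audit_live: run on the BIG-IP itself; returns 0 only when enforcement is on.
audit_live() {
    command -v tmsh >/dev/null 2>&1 || { echo "tmsh not found; run on the BIG-IP" >&2; return 2; }
    listing=$(tmsh list sys db "$DB_VAR" 2>/dev/null)
    state=$(classify_enforcement "$listing")
    printf '%s: %s (%s)\n' "$DB_VAR" "$state" "$(remediation_for "$state")"
    [ "$state" = enforced ]
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    # Offline demonstration over the constructed samples.
    for s in "$SAMPLE_ENFORCED" "$SAMPLE_DISABLED" "$SAMPLE_UNAVAILABLE"; do
        state=$(classify_enforcement "$s")
        printf '%-11s -> %s\n' "$state" "$(remediation_for "$state")"
    done
fi
```

Run the script with `--live` on the BIG-IP to audit the real setting; without arguments it classifies the embedded samples. The "unavailable" case matters most in practice: on the affected versions listed above there is no variable to set, so inbound CGNAT connections bypass AFM rules no matter how the firewall policy is written, and the only fix is upgrading.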